CVE-2026-44446: SQL Injection in ERPNext
Platform
php
Component
erpnext
Fixed in
16.14.0
CVE-2026-44446 describes a SQL Injection vulnerability discovered in ERPNext, a popular open-source Enterprise Resource Planning (ERP) tool. This flaw allows unauthorized access to sensitive data through specially crafted requests targeting vulnerable endpoints. The vulnerability affects versions 16.0.0-beta.1 up to, but not including, version 16.14.0. A patch has been released in version 16.14.0 to address this issue.
Impact and Attack Scenarios
Successful exploitation of this SQL Injection vulnerability could grant an attacker the ability to extract sensitive information stored within the ERPNext database. This could include user credentials, financial data, customer information, and other confidential business records. Depending on the database configuration and permissions, an attacker might even be able to modify or delete data, leading to significant operational disruption and potential financial losses. The blast radius extends to any system or service relying on the compromised ERPNext data, potentially impacting downstream processes and integrations.
Exploitation Context
As of the publication date, there is no public evidence of CVE-2026-44446 being actively exploited in the wild. However, the SQL Injection vulnerability type is frequently targeted, and the availability of the vulnerability details increases the risk of future exploitation. The vulnerability was published on 2026-05-13, and its severity is rated HIGH with a CVSS score of 8.8, indicating a significant potential for exploitation. No KEV or EPSS score is currently available.
Threat Intelligence
Exploit Status
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity
- High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability
- High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
Mitigation and Workarounds
The primary mitigation for CVE-2026-44446 is to upgrade ERPNext to version 16.14.0 or later, which includes the necessary security patch. If immediate upgrading is not feasible, consider implementing temporary workarounds such as input validation and sanitization on all user-supplied data entering SQL queries. Web Application Firewalls (WAFs) configured with rules to detect and block SQL Injection attempts can also provide an additional layer of defense. After upgrading, verify the fix by attempting a SQL Injection payload on a known vulnerable endpoint and confirming that it is blocked or handled safely.
How to fix
Actualice ERPNext a la versión 15.104.3 o 16.14.0 para mitigar la vulnerabilidad de inyección SQL. Asegúrese de realizar una copia de seguridad de su base de datos antes de aplicar la actualización. Verifique la documentación oficial de ERPNext para obtener instrucciones detalladas sobre el proceso de actualización.
Frequently asked questions
What is CVE-2026-44446 — SQL Injection in ERPNext?
CVE-2026-44446 is a HIGH severity SQL Injection vulnerability affecting ERPNext versions 16.0.0-beta.1 through 16.14.0. It allows attackers to extract sensitive data via crafted requests.
Am I affected by CVE-2026-44446 in ERPNext?
You are affected if you are running ERPNext versions 16.0.0-beta.1 up to, but not including, version 16.14.0. Check your ERPNext version immediately.
How do I fix CVE-2026-44446 in ERPNext?
Upgrade ERPNext to version 16.14.0 or later to resolve the vulnerability. Implement temporary workarounds like input validation if immediate upgrading is not possible.
Is CVE-2026-44446 being actively exploited?
There is currently no public evidence of active exploitation, but the vulnerability's severity and public disclosure increase the risk of future attacks.
Where can I find the official ERPNext advisory for CVE-2026-44446?
Refer to the official ERPNext security advisory for detailed information and updates: [https://github.com/frappe/erpnext/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory link)
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...